Bump github/codeql-action from 3.27.0 to 3.27.1 #176

Merged
merged 1 commit into from
Nov 13, 2024

Conversation

@dependabot dependabot bot commented on behalf of github Nov 11, 2024

Bumps github/codeql-action from 3.27.0 to 3.27.1.

Release notes

Sourced from github/codeql-action's releases.

v3.27.1

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.27.1 - 08 Nov 2024

  • The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. #2573
  • Update default CodeQL bundle version to 2.19.3. #2576

See the full CHANGELOG.md for more information.

Commits
  • 4f3212b Merge pull request #2585 from github/update-v3.27.1-3ef4c0845
  • 63b548d Update changelog for v3.27.1
  • 3ef4c08 Merge pull request #2576 from github/update-bundle/codeql-bundle-v2.19.3
  • 4e033f0 Merge branch 'main' into update-bundle/codeql-bundle-v2.19.3
  • 5ac2ddd Merge pull request #2580 from jsoref/minor-cleanup
  • 3b7b85f Conditionally clear runner cache
  • 688ea53 Fix publish-immutable-action version
  • 1e6d67b Give expected-queries-runs permissions
  • d5e7384 Strip trailing whitespace generated by ruamel-yaml
  • 756aa64 spelling: macos
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.0 to 3.27.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Commits](github/codeql-action@v3.27.0...v3.27.1)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 11, 2024
saidsef commented Nov 11, 2024

/code pr

@saidsef saidsef self-assigned this Nov 11, 2024
@saidsef saidsef left a comment

🤖
Changes:

  1. Github/codeql-action dependency updated from version 3.27.0 to 3.27.1.

    • The code changes in the workflows (.github/workflows/charts.yml and .github/workflows/scorecard.yml) from Init and Analyze actions are not significant as they primarily set up and run the tool. Nevertheless, we can be sure the newer version has beneficial fixes and improvements.
    • It's advisable to review the release notes for any additional features, optimizations, and bug fixes that may have an impact on this codebase.
  2. Trivy vulnerability scanner section (added lines are in green, deleted ones are in red):

    - name: Initialize CodeQL
    - uses: github/codeql-action/[email protected]
    + name: Initialize CodeQL
    + uses: github/codeql-action/[email protected]
      continue-on-error: true
    - name: Perform CodeQL Analysis
    - uses: github/codeql-action/[email protected]
    + name: Perform CodeQL Analysis
    + uses: github/codeql-action/[email protected]
      continue-on-error: true
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
    - name: Store Trivy scan results as a SARIF file
    - run: |
    -   trivy fs --ExitCode 0 --format sarif --output trivy-results.sarif --ignore-unfixed
    - name: Upload Trivy scan results to GitHub Security tab
    - uses: github/codeql-action/[email protected]
    + name: Upload Trivy scan results to GitHub Security tab
    + uses: github/codeql-action/[email protected]
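Review bot: the Trivy step in this hunk, `uses: aquasecurity/trivy-action@master`, is the only action reference that stays on a mutable branch while every CodeQL reference around it is bumped to a fixed release; pin it to a full commit SHA with a trailing `# vX.Y.Z` comment so the ref cannot move underneath the workflow and Dependabot can keep it current the same way it does for `github/codeql-action`. Two further points visible in the hunk: the deleted `run: |` / `trivy fs --ExitCode 0 --format sarif --output trivy-results.sarif --ignore-unfixed` lines have no `+` counterpart, yet the later "Upload Trivy scan results" step still expects a SARIF file, so it is worth confirming whether this is the real diff or an artefact of the bot rendering YAML list dashes as deletion markers; and the `uses:` targets are shown as `[email protected]`, which reads as e-mail obfuscation from the page capture rather than the actual `@v3.27.x` refs, so the hunk should not be taken as evidence of what was actually pinned.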

Comments:

  1. Minor code consistency adjustments where minor adjustments to workflow references were made, implied by the commit.
  2. No action required for review of the Trivy section changes, as the tool version upgrade is solely for minor patch updates including bug fixes and sometimes including optimizations. You should always review the tool's documentation/release notes when assessing vulnerability scanner updates.
  3. Ensure the modifications do not introduce new security issues or performance regressions.
  4. The reviewed changes are significant but don't strictly invalidate the existing code quality metrics generated by the CodeQL tool.
  5. Test the changes before merging to ensure that Trivy still functions as expected and doesn't introduce unforeseen issues.
  6. If software versions used in this PR aren't critical (other than CodeQL), it might be better to wait for more significant version upgrades before merging. They often have widespread effects on bug fixes and security patches.

> HuggingFaceH4/starchat2-15b-v0.1 [pr | 1]

saidsef commented Nov 12, 2024

/code pr

@saidsef saidsef left a comment

🤖
This is a straightforward dependency update PR that bumps the GitHub CodeQL action from v3.27.0 to v3.27.1. The changes look safe and appropriate:

  1. In charts.yml, three instances of the CodeQL action are updated from v3.27.0 to v3.27.1:

    • init action
    • analyze action
    • upload-sarif action
  2. In scorecard.yml, the upload-sarif action hash is updated while maintaining the same version comment (v2.22.11).

Being a patch version bump (3.27.0 → 3.27.1), this update should only contain backwards-compatible bug fixes. The changes appear correct and consistent across the workflow files.

✅ This PR can be safely merged as it's a minor security tooling update with no functional changes to the workflows themselves.

> claude-3-5-sonnet-20241022 [pr | 1]
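The second review above rests on one practice: each `uses:` reference is pinned to a commit SHA, with a `# vX.Y.Z` comment recording which release that SHA is, which is what lets Dependabot produce bumps like this one. The earlier review's diff also shows a `trivy-action@master` reference that does not follow it. The following audit script is an added example, not code from this repository or from Dependabot; it scans a workflow file line by line (not a full YAML parse), classifies every `uses:` reference as an immutable SHA, a mutable version tag, or a branch name, and reports which ones need attention. The sample workflow and its 40-hex SHAs are constructed placeholders, not the repository's real charts.yml.

```python
"""Audit GitHub Actions workflow text for mutable `uses:` references.

Added example (not part of the PR or the repository). It checks the pinning
practice the reviews rely on: a full 40-hex commit SHA plus a trailing
`# vX.Y.Z` comment so a reader can see the version and Dependabot can bump it.
"""
import re
from dataclasses import dataclass
from typing import List

# A `uses:` step reference: owner/repo[/subpath]@ref, optional "# comment".
# `docker://` images and local `./path` actions are deliberately not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")              # full commit SHA (immutable)
TAG_RE = re.compile(r"^v?\d+(?:\.\d+)*$")            # release-style tag (mutable)
VERSION_COMMENT_RE = re.compile(r"^v?\d+(?:\.\d+){0,2}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str    # "sha", "tag" or "branch"
    issue: str   # empty string when the reference is acceptable


def classify_ref(ref: str) -> str:
    """Immutable SHA, version tag, or anything else (treated as a branch-like name)."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line in the workflow text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        comment = (m.group("comment") or "").strip()
        kind = classify_ref(ref)
        if kind == "sha":
            # The pin itself is immutable, but without the version comment
            # neither a reader nor Dependabot can tell which release it is.
            issue = "" if VERSION_COMMENT_RE.match(comment) else \
                "sha pin without '# vX.Y.Z' version comment"
        elif kind == "tag":
            issue = "mutable tag; tags can be moved, pin to the release's full commit SHA"
        else:
            issue = "mutable branch ref; pin to a full commit SHA"
        findings.append(Finding(line_no, action, ref, kind, issue))
    return findings


def unpinned(text: str) -> List[Finding]:
    """Only the findings that need action."""
    return [f for f in audit_workflow(text) if f.issue]


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: charts
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3.27.1
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@1111111111111111111111111111111111111111 # v2.22.11
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@2222222222222222222222222222222222222222
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        status = "OK " if not f.issue else "FIX"
        print(f"{status} line {f.line_no:>3} {f.action}@{f.ref[:12]} [{f.kind}] {f.issue}")
```

Run against the sample, the script accepts only the `upload-sarif` line (SHA plus version comment) and flags the two tag references, the `master` branch reference, and the `analyze` SHA that lacks its version comment. Because it is line-based it will not see references inside reusable-workflow `jobs.<id>.uses:` keys that span lines or `docker://` images; for those, extend the regex or load the file with a YAML parser.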

@saidsef saidsef merged commit 0991859 into main Nov 13, 2024
3 checks passed
@saidsef saidsef deleted the dependabot-github_actions-github-codeql-action-3.27.1 branch November 13, 2024 14:04